Definitions:

  • The customer is the "Data Provider."
  • The hosting provider is the "Data Collector."
  • The "Data Processing and Confidentiality Agreement" describes the location of your data at all times.

Before July 16, 2020:

GDPR was in place, and data flowing inside the EU had to comply with GDPR. Data that might flow outside the EU was covered by Standard Contractual Clauses (SCC). The EU and the US had a separate agreement called Privacy Shield.

After the July 16, 2020 Schrems II ruling:

The EU Schrems II decision was a landmark ruling because it invalidated the Privacy Shield/SCC agreements in their original form.

Scenarios for your GDPR data:

1. Data stored in the EU, and the parent "Data Collector" company is incorporated in the EU;

  • No problem - you don't need to do anything beyond following the normal GDPR rules.

2. Data is stored in the EU. The "Data Collector" is incorporated in the EU but has data centers outside the EU;

  • Then you must have a written guarantee from the "Data Collector" that your data does not leave the EU. The "Data Collector" provides the guarantee by issuing a signed "Data Processing and Confidentiality Agreement."

3. Data is stored in the EU or outside the EU, but the "Data Collector" parent company is incorporated outside the EU;

  • It is your responsibility as "Data Provider" to ensure that the country where the "Data Collector" parent company is incorporated follows the EU GDPR requirements and the SCC. Countries outside the EU that have a legal precedent for obtaining data from EU companies without a court order cannot, by default, comply with GDPR.
  • If you want to use a US service provider, you must implement these mandatory guidelines yourself.

If you need to transfer data outside the EU, you must, as a minimum, comply with the recommendations found at this link.